DDE Exploitation Detection

So the DDE vulnerability/feature (open to debate) is hot, and it is being used not only by high-profile APT actors like FIN7, but also by several other threat actors, such as cyber criminals infecting machines with Locky or Hancitor.

Let's see how we can detect the malicious files as well as the typical infection process that uses the DDE feature.

So here is a Word doc file which seemingly looks empty, but there are two hidden objects.

Md5: f5564925dd68e23672d898e0a590340e

The first thing I come across is this message, which I should say “No” to.

So I go ahead and click on “No” and I see a Word file without any text.

The trick is to press Ctrl+A to select everything in the Word file, and I can see two invisible boxes selected.

The first box is nothing, maybe a decoy. The second small box is the “Field” element, which contains the formula to be updated. What is that formula? Let us have a look at it:

I select it, right click and choose “Toggle Field Codes”... and ta-da! I can see some code, which would have been executed if I had said “Yes” initially.

A simple command to run PowerShell, download a malicious PS script and execute it.

Let us have a quick look at this script:

I copy the above into Notepad and, as expected, this is base64-encoded text, which decodes to a PowerShell script.

For DOCX files, since it is a compressed file, I had to decompress it, navigate inside the “word” folder and then run grep to identify the strings inside the files. I looked for the strings “DDE”, “powershell” and “webclient”.